Tools To Squash the Botnets
Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."
I don't see that. (Score:5, Insightful)
The zombies can simply flood your pipeline. There are that many of them.
Re: (Score:3, Funny)
You'd know that if you RTFA.
You cannot do that. (Score:2)
Yeah, like that will go over well.
Not to mention that, AGAIN, the most commonly used protocol in infecting those machines is HTTP (with SMTP being a close second).
Is this prior art? (Score:3, Informative)
And that is with 30 seconds of Google searching. I thought I had heard of that concept before.
Search Google with "worm 'protocol validation'".
Re: (Score:2, Insightful)
but why do they leave the tails on in pasta or pad thai.
Re: (Score:2, Interesting)
I know a few chefs and have asked them, the reasons:
1. that's how they were taught to do it
2. they think it is better "presentation"
3. it makes the shrimp look bigger
so not only are they being annoying, they're also being dogmatic, pretentious and deceitful.
Re:I don't see that. (Score:5, Funny)
I thought the easiest way was to link them from a Slashdot article.
Talk about a zombie army...
Re: (Score:1)
Hey! I resemble that remark!
Re:I don't see that. (Score:5, Interesting)
I still think he should use that as a basis for firewalling IPs off, but I guess it doesn't matter in the end.
Re:I don't see that. (Score:4, Interesting)
It could be some request error that instead of checking once a day ends up checking once every five minutes or something of the sort. It is likely something along the lines of the gaming community that is supposed to help gamers connect to each other through firewalls. I have seen a Java app that does this but don't remember the name.
Re: (Score:2)
I remember NetGear was also guilty [slashdot.org] of this for DDoS'ing the University of Wisconsin.
Translation: (Score:5, Insightful)
What's with this blatant ad? When and if they ship a product or release their technology, we can talk about it. But right now it's just a bunch of hot air.
Not only that, but there are NO details. (Score:5, Interesting)
And the claims he is making do NOT fit with how machines are infected or how the zombies are used.
Intrusion Detection Systems are based around knowing YOUR traffic. And finding patterns that do NOT match what is normal for your network.
They include patterns for known exploits
But there SHOULD be a finite number of LEGITIMATE patterns on your corporate network.
Instead of claiming "new" ways of "faster" identification of "bad" stuff, a real improvement would be faster identification of LEGIT patterns.
I'm thinking "snake oil" here.
Re:Not only that, but there are NO details. (Score:5, Funny)
Only two bits a bottle. Worth a dollar a drop! Step right up! Step right up!
Re: (Score:3, Insightful)
So he gets the word out that he is on top of this. Going to release a product and blah blah blah. What it does is show that the obviousness was because he pointed it out. This makes it unique that he might obtain a patent and so on. In 5
So in other words... (Score:5, Insightful)
Re: (Score:2)
Not that this is a very easy sell... but it is in the interests of the ISP, as spam and DDoS continue to eat up their bandwidth.
Re:So in other words... (Score:5, Insightful)
220 foo.bar.baz.MIL (Well hello there)
EHLO so.i.say.mil
250-foo.bar.baz.MIL offers THREE extensions:
250-8BITMIME
250-PIPELINING
250 DSN
RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJSFBSZCDT^^^&^&##$%FGE#$%$$$$$$$$$$$!/bin/sh$@!#>
# id
uid=0(root) gid=0(root) groups=0(root)
# cd
# ls -l
drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve
drwxr-xr-x 4 bob users 4096 2007-05-01 18:26 bob
drwxr-xr-x 4 tony users 4096 2007-05-01 18:26 tony
drwxr-xr-x 4 anne users 4096 2007-05-01 18:26 anne
pretty obvious that the server didn't reply to the RCPT request correctly isn't it?
Re:So in other words... (Score:4, Insightful)
It's not impossible, but it is hard, doubly so if you intend your product to be a good one... and the utility may be rather marginal.
Re: (Score:2)
Getting installed on the system isn't the hard part, people willingly listen to Britney Spears for cryin' out loud.
Once on the system, multiple communication applications could be used to communicate from zombie to zombie. Why would anyone suspect that the random person sending them an IM was actually a front for zombie
Let's look at this logically. (Score:4, Insightful)
Now, what if the mail server is responding with a "user not found" error in a multi-line format? Does that trigger your IDS?
If not, why? Or are you going to set patterns for EVERY possible, legitimate, response so you'll be able to find the ones that don't match it?
Yeah, good luck with that. You should start working on it now. Maybe in 10 years or so you'll have caught all the possible legit patterns for everything available today.
That is why current IDS's depend so much upon the ADMINS training the IDS's to what is LEGIT traffic for their particular network.
Which yields a LOT of "false positives" in the early stages (and immediately after upgrades). But if I'm running Exim4, why should my IDS be looking for patterns of Exchange responses? Or Sendmail responses? Or anything else?
Despite what that guy claims, there is no easy way to identify the bad without having a person identify what is good.
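The "multi-line reply" case raised above is exactly what a protocol-aware check has to get right: a legitimate multi-line 550 "user not found" must pass, while the shell output that follows RCPT in the spoof session further up this thread must fail because it is not an SMTP reply at all. The validator below is an added example, not code from the article or from Barford's group; the transcripts in it are constructed for the example, and the RFC 5321 reply grammar (3-digit code, "-" for continuation, space or end-of-line for the final line) is the only rule it enforces.

```python
import re

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow),
# a space (final line), or end of line (final line, no text).
REPLY_RE = re.compile(r"^(\d{3})([ -]|$)(.*)$")

# Constructed sample transcripts (server-to-client lines only), not real captures.
LEGIT_MULTILINE = [
    "250-foo.bar.baz.MIL offers THREE extensions:",
    "250-8BITMIME",
    "250-PIPELINING",
    "250 DSN",
]
LEGIT_USER_NOT_FOUND = [          # the multi-line "user not found" case
    "550-5.1.1 The email account that you tried to reach does not exist.",
    "550 5.1.1 Please check the recipient address.",
]
ODD = [                           # what the joke session shows after RCPT
    "uid=0(root) gid=0(root) groups=0(root)",
    "drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve",
]


def validate_reply(lines):
    """Return (ok, detail). ok is True only if `lines` form exactly one
    well-formed SMTP reply: every line carries the same 3-digit code, all
    but the last use '-' continuation, and the last uses a space or nothing.
    On success detail is the reply code; on failure it explains the defect."""
    if not lines:
        return False, "empty reply"
    code = None
    for i, line in enumerate(lines):
        m = REPLY_RE.match(line)
        if not m:
            # Anything that is not "NNN", "NNN text" or "NNN-text" is not SMTP.
            return False, f"line {i} is not an SMTP reply line: {line[:40]!r}"
        this_code, sep, _text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            return False, f"reply code changed from {code} to {this_code} on line {i}"
        last = i == len(lines) - 1
        if last and sep == "-":
            return False, "reply ends with a continuation line"
        if not last and sep != "-":
            return False, f"final line at index {i} is followed by more lines"
    return True, code


if __name__ == "__main__":
    for name, sample in [("multi-line EHLO", LEGIT_MULTILINE),
                         ("multi-line 550", LEGIT_USER_NOT_FOUND),
                         ("shell output", ODD)]:
        print(name, "->", validate_reply(sample))
```

The same grammar check generalizes to any reply the server sends, so the IDS does not need a pattern for every possible legitimate response text, only for the reply structure the protocol defines.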
Re: (Score:2)
It will, I'm sure, be done/possible eventually. But based on my understanding of the field, we aren't there, yet.
Re: (Score:3, Insightful)
You seem to be of the impression that ISPs care about bandwidth. Here's a clue-by-four for you...
They don't.
In fact, they want as much bandwidth being eaten up as possible to support their claims of "teh tubes are clogged!!!111!!! We need to get evil Google (YouTube) to pay more since they are obviously the cause!" to Congress.
All it needs is just one bit. (Score:5, Funny)
Talk by Paul Barford (Score:5, Informative)
Abstract:
Network attacks and intrusions have been a fact of life in the Internet for many years and continue to present serious challenges for network researchers and operators alike. The objective of our work is to develop tools and systems that automate or otherwise enhance key activities of network security analysts. In the first part of this talk, I will describe our malicious traffic assessment activities using our Internet Sink (iSink) system for dark address space monitoring. iSink is a highly scalable system that includes both passive packet capture and a set of stateless active responders that enable details of exploits to be captured. Our results illustrate the variability in the traffic on dark address space and the feasibility of efficient classification of attack types. I will also describe how data from dark address space monitors can be used to provide near real time network "situational awareness" for security analysts. iSink data is also the basis for our Nemean system that automatically synthesizes signatures for intrusion detection. Unlike standard intrusion signatures, Nemean's signatures are protocol aware, which we show greatly enhances their resilience to false alarms. I will describe Nemean, and conclude with a brief description of our current activities in adapting Nemean into a real time intrusion prevention system.
Where: Grad. Lounge
When: Thursday 27th Oct 2005 11 am.
2 years from lab to startup, not bad dude.
Re: (Score:2)
Your public tax dollars at work once again.
Re: (Score:2)
If they really "want to see their research become useful outside the ivory tower" then place it in the public domain and let EVERYONE have access to it. I assure you the patents will find more uses than if they're harbored inside a single company.
See spot run. Run Spot! Run! (Score:5, Insightful)
Boo! Botnet! Boo!
Bad Botnet! Bad! Bad! Bad!
We can save you! We have Patented Technology!
All Hail our most Holy Precious Intellectual Property!
Hail IP! Hail! Botnet! Boo!
OK, can some one 'splain to me Lucy why this obvious and fact lacking bit of pre-IPO spin made it to SlashDot? Is there anyone that can tell me exactly how technology that allows for 99.9 percent accuracy with zero false positives actually works? Remember, we're talking millions of infected botnet systems with ZERO false positives. Make millions of ANYTHING and you're going to have a few errors here and there.
This is great if it's true, however, I'm highly skeptical without more hard facts that this is anything other than vaporware and high hopes for an early buyout. Gee! FOUR patents!
I'll bet I could get four patents on a process to pick my teeth with a toothpick.
Not that I think it honest, you understand...
Re: (Score:3, Interesting)
Well, Darl is a bit short of cash right now, seeing how he's busy transferring a patent to cattleback and all. And, oh, My, we forgot to pay anything for that transfer! Ooops! OUR BAD! Please let us make it right and do it now we've filed for bankruptcy! We'll just move anything of value out of SCOX and leave it with nothing but the bills while we move anyt
Re: (Score:1)
As a thought exercise I tried to figure out how. This is what I came up with: Set up a secure monitoring server on some random isolated IP address, no DNS name pointing to it or anything. If something connects it's probably malicious, especially if it tries to get all gay with the various known-to-be-vulnerable ports. Propagate that IP to the ISP/company routers' black
Re: (Score:2)
And malware authors work around it by probing. If they suspect that an address in a network is used for a honeypot to blacklist any IP that touches it, then they do a simple binary search to find out which addresses are used, then they stop hitting those addresses.
Of course, that's only for searching out vulnerabilities with a worm that automatically propagates. How would you get the same statistical results, only when the attack vector is spam containing
Re: (Score:3, Interesting)
And see exactly what? That someone is running honeypots? I don't need to look to know that, I run honeypots myself. I've more than two dozen systems running multiple VM honeypot software from home grown to open source to closed source IDS'es. Let me be clear: I currently run $many to $shitpots of honeypot systems, with Sun boxen, AIX boxen, and WinTel platforms. Mostly these are "spares" to use when a production system goes down. It's a way to keep them "w
Re: (Score:2)
I agree that lots of wild claims are made, and I'm skeptical, too. It would be nice if there was more information.
commercially. (Score:3, Interesting)
i'm not trying to say it HAS TO be free. hell, most of the people that have compromised machines won't know they need the software and where to get it, free or commercial or whatever. just kind of wondering out loud is all.
Snort! (Score:2)
But then
There's not enough info in that "article" ("ad") to say whether his work is even as good as Snort. Let alone better.
Re: (Score:1)
Not necessarily. If the solution was free, some (and I'm not saying all) users/managers wouldn't take it seriously. Charge them for it, and they'll want it, install it, run it, update it, whatever in order to justify spending money on it. Make it free and for some of them they'll consider installing it, and if they get that far, forget about ever running or updating it. For these people, free=worthless.
I have an idea! (Score:5, Insightful)
It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself.
Obviously, the user could disable all filtering if they so desired.
This solution would prevent a ton of issues for most users, while still allowing those of us who are wise enough to monitor our own systems to enable everything ourselves.
In addition, why don't ISP's notify the user if they suddenly see an unusual amount of traffic on an unusual port or protocol... a simple email to say "we are seeing IRC traffic on your connection, you have never used IRC in the past. Some malicious software communicates via IRC protocols which may cause this unusual activity. Please read this linked article if you would like to know more."
I realize that most of us would rather our ISP stay out of our online activity... however I feel that if they actively participated in preventing the spread of malware on their customers' machines, they would not only increase customer satisfaction, but reduce the bandwidth being wasted. At first it would be an expense, but as the network was cleared of wasted traffic it would eventually pay for itself.
Re:I have an idea! (Score:5, Insightful)
They could up the bandwidth and do it that way.
The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.
I wonder why they don't do that?
Re: (Score:2)
Seriously, have them change the default password first and put it on a sticker on the box.
Re: (Score:2)
Whether that saves enough bandwidth to be cheaper TCO, I'm not sure, but that's not really what we were discussing. I get the feeling you were talking about implementing versus not rather than the type of implementation, since the support calls would be about the same whether you went to a website that's actually running on your
Re: (Score:2)
Not reading a sheet of paper. You know...the one that will come with the installation that has the randomly generated key for the password to access the router?
There isn't one now, but if you're going to be doing this to stop hackers, then you'd (obviously, as you point out) want to do this.
Re: (Score:2)
At ISP scale, the vast majority of common ports are used for legitimate traffic by someone. That's what makes them common ports.
"It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malw
Re: (Score:2)
I am more concerned about outbound traffic as it relates to the article in question... if the ISP prevented everything but http(s) traffic by default and you had to manually enable other forms of traffic by visiting a website and selecting
Re: (Score:1)
I like the unusual traffic notifications. It reminds me of the credit card companies' notifications about odd purchases, except the volume of traffic to monitor would be several
Ahoy! Press release! (Score:5, Interesting)
Does he think slashdot readers don't read the article or something?
Re: (Score:3, Insightful)
is meaningless drivel, since the commercial systems aren't named and the supposed testing procedure and experimental data is not described and certainly not controllable by others.
Instead this is a content-less advertising press release (as can be easily seen by no
BotHunter, anyone? (Score:4, Informative)
http://www.cyber-ta.org/releases/botHunter/ [cyber-ta.org]
From the site: BotHunter™ is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunter™ is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.
There's also a great PDF available showing a full dissection of a Storm variant.
That's the fault of the developers. (Score:2)
And since their product is based upon defeating that very limited set of threats
The concept of protocol validation is good. But not for an IDS. It is better as part of the firewall protecting that server running that service. BUT! That also means that it needs to be able to shut off access to that server when it sees ANYTHING it d
Great (Score:3, Insightful)
There are really only two reasons why botnets and their associated malware have become so prevalent. All other apparent causes stem from these two reasons:
What I really want to see a long-term plan for dealing with those two points. Until these factors change, we are going to keep having the same kind of problems again and again as the arms race between blackhats and whitehats continues. You are never going to have perfect security, but the current situation where one piece of malware can do tremendous damage on a massive scale is a situation that many people have worked very hard to bring about. Too bad that in a superficial society like ours, we have a huge phobia of actually addressing the roots of our problems because we keep hoping to find some form of an "easy way out" of situations that took a long time to become what they are.
Re: (Score:2)
First, ActiveX in theory *is* whitelist-only. Whitelisting is basically what the "security zones" model is all about. And it doesn't work. The only thing that actually works is providing a strictly restricted API.
Second, no product implemented this functionality before Microsoft did,
Re: (Score:2)
The alternative to ActiveX is hard-sandboxed scripts and applets that provide no mechanism for the sandboxed code to ask the user for access outside the sandbox, let alone automatically getting it if they "smell right".
Since every other HTML implementation in the world, including the ones used by Firefox and Safari, take the alternative path, and the alternative path is the only option if you're not running Windows, then I guess I like the alternat
Re: (Score:2)
OK, I think you have a really deep and fundamental misunderstanding somewhere about what I wrote.
This is not about Java. This is not about Java vs Flash, or even Java vs ActiveX.
This is about ActiveX.
The alternative path is, basically, everything but ActiveX. EVERYTHING. Flash. Java. Javascript. Embedded Postscript and SafeTcl and all the other technologies that never took off. Out of all the applet technologies for the web that's ever gotten past the starting gat
Re: (Score:2)
It's just an analogy; once its point is made, it's no longer useful. Take it as far as you like.
99.9% detection... until the botnet makers adjust (Score:1)
Similarly, you can eliminate SPAM in the lab, but the moment you release it, the SPAM makers will adjust their strategy. That's how arms races work. So get back with us once your solution is still working 6 months from now.
Re: (Score:2)
It must be nice to cling to an ideology so tightly that you can ignore practical concerns in order to follow it.
Re: (Score:2)
It's not a case of "clinging to an ideology". I don't want people with festering sores near me stinking the place up with their germs, and I don't want people with computers running Windows flooding the Internet with their spam and viruses.
Zero false positives? hahahahahahahaha (Score:2)
Now there are certain behaviors that bots exhibit even when they are quiet waiting for commands. So looking at network traffic alone, if you have a bunch of hosts all talking to the same server for a long, long time (days, weeks, hours), that seem to move in unison, you probably have a botnet. This is different than
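The "many hosts, same server, long time, moving in unison" heuristic above can be turned into a concrete correlation over flow records. The code below is an added example, not from the article or any product named in this thread; the flow records, addresses and thresholds (minimum hosts, minimum session length, start-time window) are constructed for the example, and a single long-lived session from one host is deliberately left unflagged because on its own it is just someone's IRC client.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (start, end, src, dst:port). Not real data.
FLOWS = [
    # four internal hosts hold sessions to the same server for ~3 days,
    # all starting within the same minute: the "moving in unison" pattern
    ("2007-05-01 18:26:00", "2007-05-04 18:20:00", "10.0.0.11", "203.0.113.5:6667"),
    ("2007-05-01 18:26:10", "2007-05-04 18:21:00", "10.0.0.12", "203.0.113.5:6667"),
    ("2007-05-01 18:26:40", "2007-05-04 18:19:00", "10.0.0.13", "203.0.113.5:6667"),
    ("2007-05-01 18:26:55", "2007-05-04 18:22:00", "10.0.0.14", "203.0.113.5:6667"),
    # ordinary web traffic: same hosts, short sessions, spread over the day
    ("2007-05-01 09:00:00", "2007-05-01 09:00:05", "10.0.0.11", "198.51.100.7:80"),
    ("2007-05-01 13:30:00", "2007-05-01 13:30:02", "10.0.0.12", "198.51.100.7:80"),
    ("2007-05-01 17:45:00", "2007-05-01 17:45:09", "10.0.0.13", "198.51.100.7:80"),
    ("2007-05-01 21:10:00", "2007-05-01 21:10:01", "10.0.0.14", "198.51.100.7:80"),
    # one long session by itself is not a botnet (one person's IRC client)
    ("2007-05-01 08:00:00", "2007-05-03 08:00:00", "10.0.0.20", "192.0.2.9:6667"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_synchronized_destinations(flows, min_hosts=3, min_hours=24, window_secs=300):
    """Return {dst: sorted list of hosts} for every destination where at least
    `min_hosts` distinct internal hosts each held a session longer than
    `min_hours`, and all of those long sessions began within `window_secs`
    of each other (the hosts "moved in unison")."""
    by_dst = defaultdict(dict)          # dst -> {src: earliest long-session start}
    for start, end, src, dst in flows:
        s, e = parse(start), parse(end)
        if e - s < timedelta(hours=min_hours):
            continue                    # short sessions never count
        prev = by_dst[dst].get(src)
        if prev is None or s < prev:
            by_dst[dst][src] = s
    flagged = {}
    for dst, starts in by_dst.items():
        if len(starts) < min_hosts:
            continue                    # a single persistent client is not enough
        spread = (max(starts.values()) - min(starts.values())).total_seconds()
        if spread <= window_secs:
            flagged[dst] = sorted(starts)
    return flagged


if __name__ == "__main__":
    for dst, hosts in find_synchronized_destinations(FLOWS).items():
        print(f"{dst}: {len(hosts)} hosts in lockstep -> {', '.join(hosts)}")
```

On real flow data the thresholds would be tuned per network, and the output is a lead for an analyst, not a verdict: a department all joining the same IRC channel at 9am would match too.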
Re: (Score:2)
I wrote a book when I was a grad student. Should I have been forced to give it away? I was in a state grad school at the time and the bulk of the cost of my education was indeed